
[FFmpeg-devel,V2] libavformat/flacenc: reject too big picture blocks

Message ID CACHq7je=A6YTDse-mGJ_dGE9UgxcATgBqHwSJK0TTEmQiKmnfg@mail.gmail.com

Commit Message

Mattias Wadman Oct. 29, 2019, 1:42 p.m. UTC
A too big picture will cause the muxer to write a truncated block size (uint24),
causing the output file to be corrupt.

How to reproduce:

Write a file with truncated block size:
ffmpeg -y -f lavfi -i sine -f lavfi -i color=red:size=2400x2400 -map
0:a:0 -map 1:v:0 -c:v:0 bmp -disposition:1 attached_pic -t 1 test.flac

Try to decode:
ffmpeg -i test.flac test.wav

Signed-off-by: Mattias Wadman <mattias.wadman@gmail.com>
---
 libavformat/flacenc.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

         return 0;
@@ -140,8 +140,14 @@ static int flac_write_picture(struct
AVFormatContext *s, AVPacket *pkt)
         desc = e->value;
     desclen = strlen(desc);

+    blocklen = 4 + 4 + mimelen + 4 + desclen + 4 + 4 + 4 + 4 + 4 + pkt->size;
+    if (blocklen >= 1<<24) {
+         av_log(s, AV_LOG_ERROR, "Picture block too big %d >= %d\n",
blocklen, 1<<24);
+        return AVERROR(EINVAL);
+    }
+
     avio_w8(pb, 0x06);
-    avio_wb24(pb, 4 + 4 + mimelen + 4 + desclen + 4 + 4 + 4 + 4 + 4 +
pkt->size);
+    avio_wb24(pb, blocklen);

     avio_wb32(pb, type);
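Review bot: `blocklen` on the first added line is a plain `int` sum of `mimelen`, `desclen` and `pkt->size`, so if that sum ever exceeded `INT_MAX` the overflow would be undefined behaviour and the `>= 1<<24` check that follows could not catch it; whether `pkt->size` can approach that here is not visible in the hunk, so this may be theoretical, but declaring `blocklen` as `int64_t` in the `@@ -93,7` declaration hunk (and logging it with `%"PRId64"`) closes the case at no cost. The limit also deserves a comment, e.g. `/* the FLAC metadata block length field is 24 bits */` above the check, since `1<<24` now appears twice in the new code. The `av_log` line is indented one column deeper than the surrounding code. flac_write_picture begins before this hunk and continues after it.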

Comments

Michael Niedermayer Oct. 30, 2019, 11:51 a.m. UTC | #1
On Tue, Oct 29, 2019 at 02:42:47PM +0100, Mattias Wadman wrote:
> A too big picture will case the muxer to write a truncated block size (uint24)
> causing the output file to be corrupt.
> 
> How to reproduce:
> 
> Write a file with truncated block size:
> ffmpeg -y -f lavfi -i sine -f lavfi -i color=red:size=2400x2400 -map
> 0:a:0 -map 1:v:0 -c:v:0 bmp -disposition:1 attached_pic -t 1 test.flac
> 
> Try to decode:
> ffmpeg -i test.flac test.wav
> 
> Signed-off-by: Mattias Wadman <mattias.wadman@gmail.com>
> ---
>  libavformat/flacenc.c | 10 ++++++++--
>  1 file changed, 8 insertions(+), 2 deletions(-)
> 
> diff --git a/libavformat/flacenc.c b/libavformat/flacenc.c
> index 93cc79bbe0..7b51c11404 100644
> --- a/libavformat/flacenc.c
> +++ b/libavformat/flacenc.c
> @@ -93,7 +93,7 @@ static int flac_write_picture(struct AVFormatContext
> *s, AVPacket *pkt)
>      AVDictionaryEntry *e;
>      const char *mimetype = NULL, *desc = "";
>      const AVStream *st = s->streams[pkt->stream_index];
> -    int i, mimelen, desclen, type = 0;
> +    int i, mimelen, desclen, type = 0, blocklen;
> 
>      if (!pkt->data)
>          return 0;
> @@ -140,8 +140,14 @@ static int flac_write_picture(struct
> AVFormatContext *s, AVPacket *pkt)
>          desc = e->value;

Applying: libavformat/flacenc: reject too big picture blocks
error: corrupt patch at line 10

probably line/word wrap

[...]
Mattias Wadman Oct. 30, 2019, 1:04 p.m. UTC | #2
Sorry, I failed to get Gmail to play nice with patches :( I sent a new
message using git send-email; hope that works.

On Wed, Oct 30, 2019 at 12:51 PM Michael Niedermayer
<michael@niedermayer.cc> wrote:
>
> On Tue, Oct 29, 2019 at 02:42:47PM +0100, Mattias Wadman wrote:
> > A too big picture will case the muxer to write a truncated block size (uint24)
> > causing the output file to be corrupt.
> >
> > How to reproduce:
> >
> > Write a file with truncated block size:
> > ffmpeg -y -f lavfi -i sine -f lavfi -i color=red:size=2400x2400 -map
> > 0:a:0 -map 1:v:0 -c:v:0 bmp -disposition:1 attached_pic -t 1 test.flac
> >
> > Try to decode:
> > ffmpeg -i test.flac test.wav
> >
> > Signed-off-by: Mattias Wadman <mattias.wadman@gmail.com>
> > ---
> >  libavformat/flacenc.c | 10 ++++++++--
> >  1 file changed, 8 insertions(+), 2 deletions(-)
> >
> > diff --git a/libavformat/flacenc.c b/libavformat/flacenc.c
> > index 93cc79bbe0..7b51c11404 100644
> > --- a/libavformat/flacenc.c
> > +++ b/libavformat/flacenc.c
> > @@ -93,7 +93,7 @@ static int flac_write_picture(struct AVFormatContext
> > *s, AVPacket *pkt)
> >      AVDictionaryEntry *e;
> >      const char *mimetype = NULL, *desc = "";
> >      const AVStream *st = s->streams[pkt->stream_index];
> > -    int i, mimelen, desclen, type = 0;
> > +    int i, mimelen, desclen, type = 0, blocklen;
> >
> >      if (!pkt->data)
> >          return 0;
> > @@ -140,8 +140,14 @@ static int flac_write_picture(struct
> > AVFormatContext *s, AVPacket *pkt)
> >          desc = e->value;
>
> Applying: libavformat/flacenc: reject too big picture blocks
> error: corrupt patch at line 10
>
> probably line/word wrap
>
> [...]
>
> --
> Michael     GnuPG fingerprint: 9FF2128B147EF6730BADF133611EC787040B0FAB
>
> If you fake or manipulate statistics in a paper in physics you will never
> get a job again.
> If you fake or manipulate statistics in a paper in medicin you will get
> a job for life at the pharma industry.
> _______________________________________________
> ffmpeg-devel mailing list
> ffmpeg-devel@ffmpeg.org
> https://ffmpeg.org/mailman/listinfo/ffmpeg-devel
>
> To unsubscribe, visit link above, or email
> ffmpeg-devel-request@ffmpeg.org with subject "unsubscribe".

Patch

diff --git a/libavformat/flacenc.c b/libavformat/flacenc.c
index 93cc79bbe0..7b51c11404 100644
--- a/libavformat/flacenc.c
+++ b/libavformat/flacenc.c
@@ -93,7 +93,7 @@  static int flac_write_picture(struct AVFormatContext
*s, AVPacket *pkt)
     AVDictionaryEntry *e;
     const char *mimetype = NULL, *desc = "";
     const AVStream *st = s->streams[pkt->stream_index];
-    int i, mimelen, desclen, type = 0;
+    int i, mimelen, desclen, type = 0, blocklen;

     if (!pkt->data)